====== IPTABLES (firewall) ======
===== commands =====
|service iptables start | or stop, restart |
|iptables -L | list the rules the firewall is currently applying (all chains); add -n to skip DNS lookups |
|iptables -L INPUT | list only the INPUT chain |
|service iptables stop | stop the firewall (flushes the rules) |
|/etc/init.d/iptables stop | same thing, calling the init script directly |
|service iptables save | write the running rules to /etc/sysconfig/iptables; use this after tweaking iptables |
\\
^ for localhost ^
|iptables -A INPUT -s 127.0.0.1 -j ACCEPT|
|iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT|
\\
For sendmail: accept inbound connections to port 25 (the INPUT rule) and allow the host to open outbound connections to port 25 for relaying mail (the OUTPUT rule).
<code>
-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
</code>
For POP3 (173.45.236.139 is this host's address):
<code>
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 173.45.236.139 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 173.45.236.139 --sport 110 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
</code>
For IMAP:
<code>
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 173.45.236.139 --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 173.45.236.139 --sport 143 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
</code>
Drop new inbound ICMP (e.g. ping requests) while leaving replies to the host's own ICMP untouched (those count as ESTABLISHED, not NEW):
<code>
iptables -A INPUT -p icmp -m state --state NEW -j DROP
</code>
===== /etc/sysconfig/iptables =====
This file holds the saved firewall rules in iptables-save format; it is what ''service iptables save'' writes and what the init script loads at boot.
The order of the lines in this file may be significant. I'm not sure.
<code>
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2571:527834]
#
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#
# port 111 is used for RPCbind--it wasn't a good idea to close it ...
#
#-A INPUT -p tcp --dport 111 -j DROP
#-A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
#
#
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
#
-A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
COMMIT
#
</code>
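Rule order in this file does matter: iptables walks each chain top to bottom and the first rule whose match conditions all hold decides the packet (a terminal target such as ACCEPT, DROP or REJECT ends the walk), and the chain policy applies only if nothing matched. The following added example (not from the page; a small first-match simulator written for these notes, with the page's rule set embedded as a constructed string and the commented-out port 111 DROP re-enabled after the catch-all REJECT) shows why that DROP line would never fire, and lets you check what the rules above decide for a given packet without touching the live firewall. It handles only the matches used on this page (-p, --dport, --state, -i, -s, --syn) and ignores the rest.

```shell
#!/bin/sh
# Constructed copy of the page's filter table, with the page's commented-out
# port 111 DROP placed after the catch-all REJECT to show it is unreachable.
RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 111 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT'

# verdict CHAIN PROTO DPORT STATE IFACE SRC
# Prints the target of the first rule in CHAIN that matches the described
# packet, or the chain policy if no rule matches (iptables first-match rule).
verdict() {
  printf '%s\n' "$RULES" | awk -v chain="$1" -v proto="$2" -v dport="$3" \
      -v state="$4" -v iface="$5" -v src="$6" '
    # policy line, e.g. ":INPUT ACCEPT [0:0]"
    $1 == (":" chain) { policy = $2 }
    $1 == "-A" && $2 == chain {
      ok = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p" && $(i+1) != proto) ok = 0
        if ($i == "--dport" && $(i+1) != dport) ok = 0
        if ($i == "-i" && $(i+1) != iface) ok = 0
        if ($i == "-s" && $(i+1) != src && $(i+1) != (src "/32")) ok = 0
        if ($i == "--syn" && state != "NEW") ok = 0   # SYN-only == new connection
        if ($i == "--state" && index("," $(i+1) ",", "," state ",") == 0) ok = 0
        if ($i == "-j") target = $(i+1)
      }
      if (ok) { print target; found = 1; exit }   # first match wins
    }
    END { if (!found) print policy }'
}

# e.g. verdict INPUT tcp 111 NEW eth0 10.0.0.5  -> REJECT (the DROP below it never runs)
#      verdict INPUT tcp 80  NEW eth0 10.0.0.5  -> ACCEPT
```

Run it with `sh -c '. ./verdict.sh; verdict INPUT tcp 111 NEW eth0 10.0.0.5'` (file name assumed); a DROP you expected to see as the verdict is the sign that the rule sits below a terminal catch-all.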
===== udp port 5353 =====
/etc/services associates it with "Multicast DNS".